New York State Attorney General Setting Stage for Stricter Business Cybersecurity Regulations
If you’re considering upgrading your business's cybersecurity because of the rise in cybercrime, you may soon have no choice. The New York State Attorney General has fined a business more than $300,000 after it suffered multiple attacks while running inadequate risk controls.
The business was a New York home health company called Personal Touch Holding Corporation (PTHC). New York State Attorney General Letitia James determined that the company had ignored cyber risks. The investigation found that the business's lax oversight left it vulnerable to attack, and its alleged missteps led to breaches that affected thousands of employees and customers.
Phishing Has Real-Life Consequences
In 2021, a PTHC employee opened a malicious Excel file attached to a phishing email. This gave the attacker access to sensitive health records stored on the business's servers. The breach exposed HIPAA-protected health and employment records, including social security numbers and other sensitive data, leaving the personal data of over 750,000 people exposed to cyber criminals.
Where They Slipped Up
When addressing the reasons behind the hefty punishment, the Attorney General's report read:
"Personal Touch’s information security and risk management program was informal and immature. There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data."
PTHC is a healthcare company, so it is required to comply with HIPAA's data security rules. According to the report, PTHC shared data with a third-party insurance broker. The broker passed it on to an enrollment software provider, which posted the data on an unsecured website.
This enrollment software vendor, Falcon Technologies, was held accountable for the breach as well. For the data mishandling, the Attorney General fined the vendor $100,000.
How This Could’ve Been Avoided
Phishing is the practice of sending fraudulent emails spoofed to look like they come from legitimate senders, in an attempt to gain access to personal information. Regular phishing training for employees is an effective way to mitigate the risk. These training courses should be:
- Conducted at least once per year, ideally more frequently.
- Short and digestible so employees can complete them easily.
- Interactive so users retain what they learn.
- Clear and informative on how to spot phishing emails.
Most managed cybersecurity and IT service companies offer intuitive phishing training courses. They can help you integrate these courses seamlessly into your business culture. To learn more about how to train employees on email security, read our blog: Top 6 Email Security Tips for Employees.
Mishandling Sensitive Data Can Get Your Business In Hot Water
Industries like healthcare and finance already must comply with data protection regulations; HIPAA and the Gramm-Leach-Bliley Act are among the rules that hold them responsible. News like this may signal that more industries will be held liable for their cybersecurity practices. Mishandling of sensitive data was another PTHC slip-up that contributed to the hefty fine.
In 2022, a PTHC employee discovered that employment records had been accidentally posted online. The data included social security numbers and other records of 1,000 past and current employees.
This mishandling of sensitive information was a major oversight by PTHC. Leaking sensitive data such as social security numbers puts victims at risk of:
- identity theft
- credit card fraud
- compromised accounts
- tax fraud
- damaged credit scores
Even though it seems like this couldn't happen to your business, cybersecurity awareness training is a great way to lessen the risk.
In any business, the biggest cybersecurity risk is human error. To read about other common mistakes employees make that lead to attacks, read our article: Top 3 Human Errors That Lead to Cyber Attacks.
Other Consequences For PTHC
The NYS AG also required PTHC to create a comprehensive cybersecurity plan, as well as a plan to assist those affected by the breach. The list of cybersecurity safeguards James mandated for the company included:
- Improved authentication procedures, including the use of multi-factor authentication.
- Encryption of sensitive information.
- Implementation of an anti-malware program and an intrusion detection and prevention solution.
- Vulnerability management.
- Periodic third-party security assessments.
- Phishing training for employees, including annual mock phishing exercises.
Employees who fail the phishing training must take additional courses afterward.
Many of the controls mandated for PTHC are industry standard for network security. The company had simply failed to address basic cybersecurity risks such as phishing and the lack of staff security awareness.
Yet even if you already do some of these, it’s crucial to stay ahead in cybersecurity. Attackers go after the businesses with the weakest defenses. It’s not about having the most advanced security; it’s about having enough of an edge to reduce your chances of becoming a victim.
To learn more about cybersecurity best practices, check out our blog: Ask the Expert: 7 Cybersecurity Essentials To Check Off.
Cybersecurity Readiness is No Longer Optional
The costs associated with data breaches go far beyond lawsuits from exposed individuals. The NYS Attorney General is setting the stage for stricter compliance regulations for all businesses. Even if you don’t think your business is at risk, your cyber readiness must keep up with growing cyber threats.
If you want to up your cybersecurity game but don’t know where to start, check out our cyber essentials checklist.